More relaxed RFC 5280 checks (Windows MDM related)

[thierryba]

Hello,

We are developing a software that accepts CSR from different sources. One of them is Microsoft Windows MDM. It turns out in some cases it can use a ! character inside a PrintableString (for some reason sometimes they use UTF8String and sometimes PrintableString). This results in cryptography starting with v45 to fail with

ValueError: error parsing asn1 value: ParseError { kind: InvalidValue, location: [0, 0, "AttributeTypeValue::value", "AttributeValue::PrintableString"] }

Now we do know that the problem is essentially on Microsoft's side but we cannot circumvent this easily and I doubt that even if they wanted to they could not fix that easily on all the windows 11 that are already out there.

So could you make this check a bit more relaxed?

[alex]

Can you explain a bit more about the circumstances in which MDM is using "!" in PrintableString?

Have you notified Microsoft of this issue?

[thierryba]

@alex WE did create this question https://learn.microsoft.com/en-us/answers/questions/5549715/windows-seems-to-create-invalid-csrs-on-enrolment but got no feedback so far. There are some details in it.
In our testing environment it seems to happen (at least more) when using Windows VMs. We are not sure of what causes this.

[alex]

Thank you for filing this! I'll see if I can find someone at MS to escalate this to.

The issue was observed only on VMs, Windows running on real hardware sends CSRs with commonName as UTF8String.

Truly baffling.

[thierryba]

@alex thank you for taking this seriously. May I ask if there is any news on that front?

[alex]

No update ATM.